Now is a good time to re-set your Twitter password and disable Java in your browser

Beneath what may be the most passive-aggressive hack disclosure blog post title ever, Twitter today disclosed that it, too, has been compromised by hackers.

At least 250,000 user accounts were affected.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Twitter’s director of information security Bob Lord in the blog post titled "Keeping our users secure."

"Holy shit you guys a quarter million of your accounts wuz hacked!!1!" is more like it.

"China did it" is a reflexive response we're seeing around the web now, after recently confirmed reports that Chinese hackers targeted the New York Times, The Wall Street Journal, The Washington Post, and other high-profile sites—but Twitter has said nothing about the suspected origin of the attack. Looks like a well-known Java vulnerability is one common link.

As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.

I noticed that Twitter was down or unreachable, off and on, for what seemed like a few hours yesterday morning. I wonder if the brownout was related to this news.

From chatter on Twitter, it seems that most of the affected accounts were older, or "owned" by users who had really early accounts? For what it's worth, I was user #767, and my account was affected: I received a password reset prompt this afternoon. But the tweets you see from @xeni promoting Viagra, raspberry ketones, and work-from-home schemes involving lonely Russian ladies? That's all me, guys.

Twitter hasn't disclosed detail on the perpetrator or method behind the breach. Perhaps we'll hear more soon.


  1. Seems like it’s probably an even better time to re-set your Facebook, iTunes, Google, YouTube, Pinterest, Tumblr, etc., etc. password.

    1. Dammit! I’ll have to change all these passwords from “password” to “1234password” now!! FML

    2. This is a valuable lesson in why you should use a password locker of some flavor. When one of these sites gets hacked, I just set up another random string for a password and call it a day. If all your passwords are different, you don’t need to trust anyone to secure your password. Toss on a layer of 2-step into your e-mail and banking stuff and you are golden. You are not impervious to an attack, but you are far harder than most people and probably only are vulnerable if someone is specifically out to get you personally.

  2. So 250,000 people are going to get an email claiming to be from Twitter saying their passwords have been compromised and they need to create new ones.

    Somehow, just somehow, I think a few more than 250,000 people are going to get email claiming to be from Twitter saying their passwords have been compromised and they need to create new ones. 

  3. There are so many zero day Java exploits in the wild, unless you have a clear need to have it enabled in your browser (and no, Minecraft doesn’t count, download the standalone) you should have it OFF.

  4. It’s OK. After the last twitter compromise, I used a random-password generator. My password for twitter is now


    if you can believe that. Takes me forever to type, but there’s no way it’s going to be cracked.

    1. I seem to recall seeing something that said password length matters a lot more than special characters, so wouldn’t something like this be quite secure?


      1. It’s the other way round. If you have 6 characters, all lower case, you have 26^6 possible passwords, easily brute-force broken.
        Use upper and lower case; 52^6;
        add ten digits; 62^6;
        add 10 other chars; 72^6; at present, almost unbreakable.
        This works even better with 8 characters.

        1. Only if you’re choosing fully at random among the character set for your password. Which you’re not.

        2. I think you’ve missed what Kimmo was suggesting/enquiring about: Rather than using 6 characters chosen from a set of 72, isn’t it better to choose more than 6 characters from a set of 26?

          The answer is yes, so long as you choose 8 or more characters:

          72^6 ~= 139 billion
          26^8 ~= 208 billion

          (And importantly, as per the XKCD reference, it can actually be *easier* for a human to remember a 20-character password made up from the lowercase alphabet, than it is to remember a 10-character password made up from a set of 72.)

    1. The HTML interface to a lot of Oracle systems uses Java, which means lots of people in very large companies have to have it turned on, at least in one browser.

    2. As ohbejoyful says – lots and lots of enterprise-y systems rely on Java on the desktop, to overcome the horribleness of IE 6, which the entire organization is stuck using because their online timesheet system isn’t supported on other browsers (it may work better on other browsers, but it isn’t supported).

  5. My computer expertise is limited to some very specific applications. Outside of those, I’m only moderately competent, so I think I missed something important in this discussion.

    Yesterday, I disabled Java (in Google Chrome) and tried navigating the web. Most of the sites I use regularly, for work and entertainment, stopped working. There were key functions I simply couldn’t use without Java enabled. Is there a workaround for this? Or is it simply a choice between usability and safety?

    1. Make sure you’re not mistaking Javascript for Java (they’re not the same). The former is very commonly used, the latter much less so. You’d have to have very out of the ordinary browsing habits if most of the websites you use require Java.

      1. Netscape’s strategy of renaming LiveScript “JavaScript” was fscking brilliant, eh? Several million bucks of advertising… paid for by Sun. Of course in the end Oracle and Microsoft ate them both.
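As an added example, not from the post or from any of the commenters above: a short Python script that puts the charset-versus-length argument from the password sub-thread into numbers (72^6 against 26^8, and how many lowercase characters it takes to beat 72^6), and adds the caveat raised in the same thread that these figures only hold when the password is picked uniformly at random. The ten punctuation characters making up the 72-symbol set and the 2048-word list size are assumptions.

```python
import math
import secrets
import string

# Assumed 72-symbol set, as in the thread: 52 letters + 10 digits + 10 other chars.
ALPHABET72 = string.ascii_letters + string.digits + "!@#$%^&*()"

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits; valid only for a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def min_length_to_match(alphabet_size: int, target_bits: float) -> int:
    """Shortest length over `alphabet_size` whose keyspace is at least 2**target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words picked at random from a `list_size`-word list."""
    return word_count * math.log2(list_size)

def random_password(alphabet: str, length: int) -> str:
    """Uniform random choice via `secrets`, so entropy_bits() actually applies."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def thread_comparison() -> dict:
    """The cases argued in the comments, plus the caveat that the selection
    process, not the character set, is what determines the entropy."""
    lower = len(string.ascii_lowercase)   # 26
    mixed = len(ALPHABET72)               # 72
    return {
        "72^6": keyspace(mixed, 6),
        "26^8": keyspace(lower, 8),
        "lowercase_len_to_beat_72^6": min_length_to_match(lower, entropy_bits(mixed, 6)),
        "random_lowercase_20_bits": round(entropy_bits(lower, 20), 1),
        # Assumed 2048-word list: four words may spell about 20 lowercase characters
        # but carry far fewer bits than 20 lowercase characters chosen at random.
        "four_words_from_2048_bits": passphrase_bits(2048, 4),
    }

if __name__ == "__main__":
    for name, value in thread_comparison().items():
        print(f"{name:>28}: {value}")
    print("random 12-char example:", random_password(ALPHABET72, 12))
```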
